The plugin's options page (http://site/wp-admin/plugins.php?page=capcc-config) is vulnerable to CSRF. This CSRF can be used to exploit the SQL Injection, Full Path Disclosure and Cross-Site Scripting (http://websecurity.com.ua/2699/) vulnerabilities, and also to make fully automated Insufficient Anti-automation attacks possible.

CSRF + Insufficient Anti-automation:

Because this captcha is vulnerable to SQL Injection, which is triggered via a Cross-Site Request Forgery attack, a fully automated captcha bypass is possible. It is performed via a combined CSRF + Insufficient Anti-automation attack, which allows the same captcha image/code pair to be reused indefinitely (the lifetime of each image is set in the captcha's options; by default it is 24 hours, but this too can be changed via CSRF).

This SQL Injection vulnerability is an example of Persistent SQL Injection. It is the first Persistent SQLi vulnerability I have found and the only one I know of. So with this hole I present a new type of SQLi vulnerability.

Determining a password via SQL Injection: this is Blind SQL Injection. If the script (http://site/wp-content/plugins/capcc/capcc.php?r) shows “Expired.” the condition is false; if it shows “Error” it is true. Determining a password requires sending many CSRF requests, so it takes a long time. By contrast, the first SQL Injection attack (a single request), used for a DoS attack, is much easier to carry out.
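The three weaknesses above (an options page with no request-origin check, option values reaching SQL unescaped, and a captcha pair that stays valid for its whole lifetime) all have standard WordPress-side fixes. The following is an added example of what a hardened options page and captcha look-up look like; it is not the capcc plugin's code, and the slug `example-captcha-config`, the option name `example_captcha_lifetime_hours`, the table `{prefix}example_captcha` and the function names are hypothetical. Only the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `$wpdb->prepare`, `$wpdb->delete`) are real.

```php
<?php
// Added example: hardened handling of a plugin options page in WordPress.
// Hypothetical option names, slug and table; not the capcc plugin's own code.

// Register the settings page (hypothetical slug) under the Settings menu.
add_action( 'admin_menu', function () {
    add_options_page( 'Captcha Settings', 'Captcha', 'manage_options',
        'example-captcha-config', 'example_captcha_render_page' );
} );

function example_captcha_render_page() {
    // Capability check: only users who may manage options see or change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['example_captcha_submit'] ) ) {
        // CSRF mitigation: verify the nonce bound to this action and this user.
        // check_admin_referer() stops execution if the nonce is missing or invalid,
        // so a forged cross-site POST never reaches update_option().
        check_admin_referer( 'example_captcha_save', 'example_captcha_nonce' );

        // Input validation: lifetime is a bounded integer (hours), never free text.
        $lifetime = isset( $_POST['lifetime_hours'] ) ? absint( $_POST['lifetime_hours'] ) : 24;
        $lifetime = max( 1, min( 24, $lifetime ) );
        update_option( 'example_captcha_lifetime_hours', $lifetime );

        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $lifetime = (int) get_option( 'example_captcha_lifetime_hours', 24 );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_captcha_save', 'example_captcha_nonce' ); ?>
        <label>Image lifetime (hours):
            <input type="number" name="lifetime_hours" min="1" max="24"
                   value="<?php echo esc_attr( $lifetime ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'example_captcha_submit' ); ?>
    </form>
    <?php
}

// Database access: option values and request data are bound with $wpdb->prepare(),
// never concatenated into the query, so a stored option cannot become SQL.
function example_captcha_is_expired( $image_id ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_captcha'; // hypothetical table
    $lifetime = (int) get_option( 'example_captcha_lifetime_hours', 24 );

    $created = $wpdb->get_var( $wpdb->prepare(
        "SELECT created_at FROM {$table} WHERE image_id = %s",
        $image_id
    ) );
    if ( null === $created ) {
        return true; // an unknown image is treated as expired
    }
    return ( time() - strtotime( $created ) ) > $lifetime * HOUR_IN_SECONDS;
}

// Anti-automation: delete the image/code pair as soon as it has been consumed,
// so one pair cannot be replayed for the whole lifetime window.
function example_captcha_consume( $image_id ) {
    global $wpdb;
    $wpdb->delete(
        $wpdb->prefix . 'example_captcha',
        array( 'image_id' => $image_id ),
        array( '%s' )
    );
}
```

Two design points follow from the advisory. First, the nonce and capability checks belong on the handler that writes the option, not only on the form that renders it, because the CSRF request never loads the form. Second, the expiry check returns a single "expired" outcome for both a missing row and a stale one and does not echo database errors, which removes the distinguishable “Expired.” / “Error” responses that make the blind injection observable.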